BreakingPoint Labs

A Look at Some of the New Features in BreakingPoint Elite

Today I wanted to take a look at the latest version of BreakingPoint Elite, which is available immediately to BreakingPoint users and includes more than 30 new features. I thought I would post a few of the features highlighted in the news release and embed a product screencast from CTO Dennis Cox demonstrating some of them.

1) Dual Stack IPv4/IPv6 Testing Capabilities and Support for Current IPv6 Standards

BreakingPoint has the unique ability to generate blended stateful application traffic mixed with live security attacks at line-rate speeds and high session counts, delivered from the same address space. Using BreakingPoint Elite's IPv6 dual-stack testing, you get the industry's most comprehensive and up-to-date IPv6-capable testing, allowing you to:

  • Simulate IPv6 traffic through each testing component including Client Simulator for load testing IPv6 capable application servers.
  • Ensure compliance and validate performance with the latest IPv6 standards and blended IPv4 and IPv6 traffic.

2) Capture and Recreate Functionality

BreakingPoint Elite has the largest capture history buffer, with 8 Gigabytes per blade, to reduce the time it takes to debug network equipment and application servers. This latest product upgrade adds in advanced filtering of packet captures to capture and report on only the data needed. This includes:

  • Post-processing ability to compress the capture export, allowing you to specify start and end frames.
  • Berkeley Packet Filter (BPF) capability to isolate traffic by IP address, port, protocol and more.
  • Ingress pre-processing filtering parameters based on VLAN ID, Source IP, Destination IP, Source Port and Destination Port.

Additionally, you now have the ability to incorporate data originating from a real network into tests, replaying stateful traffic through the TCP stack, including three-way handshakes and any necessary retransmissions. This also includes raw playback of traffic to test for common issues with ARP, RARP, TCP/UDP headers, TCP SYN floods, DDoS, invalid packets and more.

3) Pattern Matching (PCRE) for Full Data Validation of Network Security Devices

BreakingPoint Elite regular expression pattern matching validates traffic flows by comparing a user-defined data pattern against incoming network traffic. QA and R&D can quickly identify sequence errors and data errors in a network device or application server, including validating that the network equipment is generating the appropriate network traffic. BreakingPoint Elite also supports Perl Compatible Regular Expressions (PCRE), allowing users to match substrings in data packets and to store the matched data for later use.

4) Impairment Support for Realistic Wide-Area Network (WAN) Simulation

BreakingPoint Elite now supports simulating impairments within IP traffic for realistic WAN simulation. Impairments are configured within the BreakingPoint Elite Network Neighborhood, where they can easily be replicated and fine-tuned for any DUT.

5) Enhanced Test Automation, Reporting and Layer 2/3 Testing Capabilities

Test automation is more extensive, including Attack Plan Iteration, which enables security testers to loop security attacks. Reporting enhancements include the ability to customize the content included in reports and to export in additional formats. Finally, numerous Layer 2/3 testing capabilities have been added, including UDP and enhanced HTTP support in Session Sender, addressing expansion, stateless TCP in Routing Robot and expanded frame sizes.

There are many more we could talk about, but in the meantime here is a look at how these features work from Dennis:


Emulate Chinese Peer-to-Peer Protocols - PPLive and QQLive to Test Network Equipment and Application Servers

This morning BreakingPoint announced that we’ve added realistic emulation of the peer-to-peer (P2P) streaming video network PPLive and online television platform QQLive to a growing library of 80+ application protocols. Now BreakingPoint customers can accurately simulate the world’s most used instant messaging, peer-to-peer and video streaming applications when testing network equipment and application servers. Below are more details from the news release:

  • PPLive, the world's largest all-video network, is a peer-to-peer streaming video network created in Huazhong University of Science and Technology. PPLive streams live television and film programs on top of hundreds of millions of video clips, films and plays.
  • QQLive is an interactive P2P distribution platform for streaming media developed by Tencent, China's largest and most used Internet service portal. QQLive has more than 100 TV channels and can be viewed in a variety of ways including through the Web and desktop programs.
  • In October 2008, BreakingPoint introduced emulation of China's QQ IM (Instant Messaging) application, the most used IM application in the world. Today's addition of QQLive and PPLive provides BreakingPoint users with the most complete and realistic testing of the world's most used peer-to-peer, instant messaging and video streaming applications.
  • Overall BreakingPoint provides support for the world’s most popular IM, P2P and video streaming applications, including AIM®, QQIM, Windows Live Messenger, Yahoo!® Messenger, Encrypted BitTorrent™, eDonkey, Gnutella, PPLive and QQLive.

4 Product Bakeoff Pitfalls and How to Avoid Getting Played

Most IT buyers take product data sheet claims with a grain of salt. Capabilities are overblown and performance numbers are guesstimated using only Layer 2/3 or HTTP traffic. We all know this isn't real. So, we don't trick ourselves into believing that the numbers will hold true in a real network.

Beyond the performance numbers, there's also the question of features and functionality. When it comes to network and security equipment, one size does not fit all. Each product reacts differently to the traffic on your network and offers a unique set of features and performance levels. The top network equipment and server vendors are also combining multi-purpose capabilities into all-in-one products in an effort to differentiate their offerings. Evaluating the best firewall, IPS, or server load balancer for your needs just became even more bewildering. How do you make head-to-head comparisons between products that operate differently? How do you generate a realistic mix of traffic and still evaluate all of the products with the same mix?

A product bakeoff is the most important step in the hardware evaluation (PDF), negotiation, and planning process because it offers the best way to understand the real capabilities and performance of the devices you are considering for purchase. Yet lack of planning, bad bakeoff behavior, and the use of synthetic traffic often leave buyers with poor decision-making data and a false sense of security. As we all know, a bit of preparation on the front end is always required to get accurate results. Combine that with insider knowledge and you can ensure an accurate and deterministic network device evaluation. Here are 4 product bakeoff secrets every IT buyer should understand before embarking upon any head-to-head product comparison:

1. Bits will bite you. Bit blasting, the use of IMIX or even PCAPs will not give you an accurate view of how a product will perform under load and under attack, in other words, in your network. Mike Hamilton effectively characterizes the problem with IMIX in this post: "Frequently I am asked about UDP "packet blasting", IMIX, RFC 2544 and other testing procedures. My answer is always the same; these testing "methodologies" are not realistic. Testing a firewall with 100% stateless UDP traffic is pointless when the actual traffic it will see consists of a wide variety of applications over both UDP and TCP."

It is absolutely vital that you adequately categorize the makeup of the traffic on your network and simulate those conditions under load during your product bakeoff. As the chart below illustrates, you will likely see differences of several orders of magnitude in throughput between competing products when they are exposed to real network traffic.

Chart: Traffic Mix

2. You can have the best of both worlds: realistic and random. Once you've moved up the stack to realistic application-layer traffic, you also need to ensure the traffic generated is somewhat random, yet can be generated the same way each time so that you can make direct comparisons between products and produce deterministic results. A pseudo-random mix of traffic will provide more accurate results, help you identify, resolve and validate fixes, and prevent vendors from gaming the system with clever programming tricks. Realistic and repeatable may sound mutually exclusive, but let me assure you they are not. The answer lies in the use of a pseudo-random number generator (PRNG).

While most testing products do not provide PRNG capabilities, BreakingPoint leverages a PRNG to generate a pseudo-dynamic blend of traffic that is both realistic and repeatable. Once a seed value is set, BreakingPoint generates all data variants in the same way for each test executed. You can pick a number and generate the attacks or application traffic the same way every time, either to run repeated tests on different products or to repeat tests on the same product or network to determine the source of, or resolution to, a problem.

3. Don't be left with a false sense of security. Another important reason to evaluate security equipment with a random mix of traffic is that it is the only way to truly evaluate vulnerability-based versus exploit-variant detection capabilities. It's generally agreed that vulnerability filtering provides superior security coverage. Yet many products can't perform the complex matching needed to deliver a vulnerability filter, so their vendors offer products that are programmed to identify specific exploits. The problem with this approach is that slight variants of the exploits these systems are programmed to identify can easily bypass the system. Vendors then release new filters and hackers develop new variants to bypass the same vendors again. The Conficker worm is a prime example of new variants bypassing security products every few months.

A dirty little secret of synthetic testing vendors is that their exploits are branded with trademarks or other recognizable content. Equipment vendors can easily exploit this by programming their products to recognize that content and trigger filters, passing product validation with ease. While it may appear that these products are working as promised, this is no indication that the equipment is capable of recognizing and filtering real security attacks in a production network. A PRNG eliminates the possibility that devices under test can be programmed to recognize and react to markers embedded in test traffic.
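To make points 2 and 3 concrete, here is an added example (not BreakingPoint's code) of a seeded traffic-mix generator: the application mix, client ports and payload bytes are all drawn from one seeded PRNG, so a given seed reproduces the identical flow sequence on every run, while a different seed changes every byte, leaving no constant marker a device under test could be keyed on. The mix percentages and flow fields are constructed for illustration.

```python
import random
from collections import Counter

# Constructed application mix (percent of flows); illustrative only.
MIX = {"HTTP": 45, "SMTP": 15, "DNS": 25, "BitTorrent": 15}


def generate_mix(seed, mix=MIX, flows=1000):
    """Return a list of (app, client_port, payload_len, payload) tuples.

    All choices come from one PRNG seeded with `seed`, so the same seed
    yields the same sequence of applications, ports and payload bytes
    every time (repeatable), and a different seed yields a different but
    equally representative blend (realistic and random).
    """
    rng = random.Random(seed)
    apps = list(mix)
    weights = [mix[a] for a in apps]
    out = []
    for _ in range(flows):
        app = rng.choices(apps, weights=weights, k=1)[0]
        port = rng.randint(1024, 65535)
        size = rng.randint(64, 1460)
        # Filler bytes depend on the seed and position in the sequence,
        # so no fixed "branded" substring recurs across seeds.
        payload = rng.getrandbits(8 * size).to_bytes(size, "big")
        out.append((app, port, size, payload))
    return out


def app_shares(flows):
    """Percentage of flows per application, to check the mix is honoured."""
    counts = Counter(app for app, *_ in flows)
    total = len(flows)
    return {app: 100.0 * n / total for app, n in counts.items()}


def same_payloads(seed_a, seed_b, flows=100):
    """Number of positions whose payload is byte-identical under two seeds."""
    a = generate_mix(seed_a, flows=flows)
    b = generate_mix(seed_b, flows=flows)
    return sum(1 for x, y in zip(a, b) if x[3] == y[3])


if __name__ == "__main__":
    run = generate_mix(seed=7, flows=2000)
    print({k: round(v, 1) for k, v in app_shares(run).items()})
    print("identical payloads under seeds 7 vs 8:", same_payloads(7, 8))
```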

4. Stick to a proven test methodology. One of the challenges for buyers structuring their product bakeoff is the lack of good, solid test methodologies for thoroughly validating equipment. They use RFCs that are outdated, specifications become obsolete quickly, and most of the methodologies you'll find online are many years old. Network equipment has evolved since they were published, so you need a current product bakeoff test methodology designed specifically for the devices you are evaluating. Here are a few that the BreakingPoint Labs team has published: Firewall Testing methodology, Server Load Balancer Testing methodology, IPS Testing methodology and other test methodologies. However, more are needed.

Tip of the Product Bakeoff Iceberg?
These are probably just the start, so I'd like to hear your product bakeoff advice and your methodology wish list. By sharing tips, collaborating on test methodologies, and exposing secrets, we can all get the most out of product bakeoffs.


Write and Simulate Your Own Security Strikes for Vulnerability Testing

UPDATE: Mike Hamilton of BreakingPoint is publishing a How-To guide on creating custom strikes.

This morning BreakingPoint announced the availability of the Custom Strike Toolkit, allowing users to write and simulate their own security strikes when testing network equipment and application servers. Below is some additional information from the news release that went out this morning.

  • BreakingPoint provides network equipment manufacturers (NEMs), service providers and application server vendors with comprehensive vulnerability testing coverage including:
    • BreakingPoint Custom Strike Toolkit providing the ability to write your own security strikes to run on BreakingPoint’s hardware in a matter of hours.
    • Custom strikes are included in network simulation tests and can be blended with BreakingPoint’s 4,200+ critical security strikes and full Microsoft Tuesday coverage, along with 80+ application protocols and any protocols created with the BreakingPoint Custom Application Protocol Toolkit.
  • BreakingPoint also provides Botnet Command & Control and Distributed Denial of Service (DDoS) simulation, more than 80 evasion techniques and advanced protocol fuzzing.

The Test Insider Newsletter Takes a Look at Cyber Security

UPDATE: Be sure to register for our upcoming Cyber Security Webcast on September 17, 2009.

Our blog is a great source of information, and many of you know about our Twitter feed and LinkedIn Group. Today we sent out Volume VI of our email newsletter, "The Test Insider", a resource you may not have known about. To introduce you to The Test Insider, I have reprinted half of the stories from the newsletter below. Check it out, and if you are interested you can sign up to receive The Test Insider on a regular basis (not to mention we'll ship you our Layer 2-7 testing poster).

Test Insider Volume VI:

"Critical Role of Resiliency Testing to Federal Cyber Security"

The U.S. Government is facing challenges on many different fronts, both foreign and domestic. With so many simultaneous challenges, are we in danger of ignoring perhaps the greatest threat: the gaping holes and vulnerabilities evident in the nation's cyber infrastructure? The time is now to test the resiliency of the network devices, application servers and overall services that make up the U.S. cyber infrastructure.

In our continuing effort to provide the latest in testing techniques, we have dedicated this volume of The Test Insider to ways in which you can test for network resiliency and help in the cyber security mission. We have compiled articles that tackle the challenges of staying current in IPv6 testing, the keys to making USCYBERCOM a success, the key criteria for resiliency testing and more. Together these pieces will help you test network devices and application servers more accurately and more quickly to meet the demanding requirements of cyber security.

Enjoy and keep on testing!

Quick Links:

  1. Resiliency Testing Critical to U.S. Cyber Infrastructure
  2. Testing IPv6? Check Your Expiration Date
  3. Four Critical Priorities for USCYBERCOM

1. Resiliency Testing Critical to U.S. Cyber Infrastructure

The U.S. cyber infrastructure is hammered by increasingly sophisticated and dangerous attacks, while performance issues caused by immense growth and application complexity only complicate the situation. As the United States Government moves forward with initiatives to protect and improve the cyber infrastructure, testing of network equipment and application servers must evolve to include these unique aspects, including the ability to test for resiliency. Read why resiliency testing is critical for protecting the U.S. cyber infrastructure.

2. Testing IPv6? Check Your Expiration Date

The current blend of IPv4 and IPv6 network traffic can have serious repercussions on network device and application server performance and security. Only by testing IPv6-aware firewalls, intrusion detection systems and other network devices with both IPv4 and the most current IPv6 traffic can you certify device resiliency and meet mandates for IPv6 compliance. IPv6 has changed a lot since the original standards. For example, if your testing tool cites RFC 2462, as many do, your tests are worthless because they give you a false sense of IPv6 compliance. One must also question whether the IPv6 testing being done by the National Institute of Standards and Technology (NIST) is using the most current standard. Read about the importance of dual-stack IPv6 testing using the most current standard.

3. Four Critical Priorities for USCYBERCOM

During most of the past year, military and cyber security experts have been calling for the creation of a United States Cyber Command, or USCYBERCOM, and that has recently become a reality. USCYBERCOM is mandated to address the current risks and "secure freedom of action in cyberspace". On September 1, 2009, USCYBERCOM will present its initial plan to the Department of Defense. Speaking with industry experts prior to this deadline, it is clear that there are several top priorities for USCYBERCOM to address immediately. Review the top four priorities for USCYBERCOM and join the conversation on what should be addressed sooner rather than later.
